Throughout history, private key encryption has been the most common model used.
But over time the ciphers became more influenced by mathematics and grew in complexity.
The internet is ubiquitous, and it handles a range of critical functions.
The problem is that the internet wasn't wholly designed to scale to what it has become.
At that point, commercial activity was illegal online.
eCommerce wasn't a word that had even been invented yet.
And web site was more of a geographical notion.
Things are much different today.
This called for a more secure approach.
The answer was encryption.
What we discussed earlier, and what has traditionally been the standard for encryption, is private key encryption.
Rather than a single private key, there is a public-private key pair.
Great, but how is that useful?
No, to encrypt an internet connection, you would need to use symmetric, private key encryption.
But how do you exchange keys?
This is where we'll tie all these concepts together.
SSL/TLS (and PKI in general) is just a fancy mechanism for creating and exchanging that session key.
We already introduced HTTP, hypertext transfer protocol, which has been the backbone of the internet for decades.
A more secure protocol was needed.
This is especially important when you consider the nature of a modern internet connection.
What you'll see is the path that your connection traveled en route to its destination.
Up to 30 jumps.
This is called a man-in-the-middle (MITM) attack.
If you want to learn about MITM attacks, then check out this online course.
You have no idea who could be listening, or how trivially easy it is to do.
An HTTP connection is made via port 80.
For our purposes, you might think of ports as constructs that indicate a web connection service or protocol.
A standard website being served via HTTP uses port 80.
HTTPS typically uses port 443.
And PKI refers to the whole thing when you zoom out.
Don't worry, you will.
There are dozens of CAs, both free and commercial, that can issue trusted certificates.
The browsers play a unique role in the TLS ecosystem.
Nobody can get anywhere on the internet without their web browser.
So, given their paramount role, they bear considerable influence.
And it's important to keep in mind that browsers have been designed to be as skeptical as possible.
This is the best way to keep their users safe.
This is where the term certificate chaining comes into play.
This is why you can't issue and self-sign your certificates.
It also acts as a sort of name badge for the site or server you're interacting with.
Certificates vary regarding functionality and validation level.
The downside is that DV SSL certificates assert minimal identity.
Organization Validation SSL certificates are the original type of SSL/TLS certificate.
Organization Validation requires a light business vetting and can typically be issued within a day or two, sometimes faster.
Because neither DV nor OV SSL certificates assert sufficient identity to satisfy most browsers, they receive neutral treatment.
What endpoints to assert Identity on
The other way that SSL/TLS certificates vary is regarding functionality.
Some have multiple domains for different company verticals; others use sub-domains for multiple functions and web applications.
No matter what the context is, there's an SSL/TLS certificate that can help to secure it.
Single Domain
The primary website and the standard SSL certificate are just a single domain.
You can compare the SSL certificates here.
Most CAs allow up to 250 different SANs on a single certificate.
And most Multi-Domain certificates come with 2-4 complimentary SANs with the rest available for purchase as needed.
There are two downsides to Wildcard certificates though.
The other is that there is no EV Wildcard option.
Because of the Wildcard functionality, Multi-Domain Wildcards are not available in EV, either.
Upon arriving at the website, the server will present the SSL/TLS certificate to the user's browser.
The user's web client then performs a series of checks.
First, it's going to authenticate the certificate by viewing its digital signature and following the certificate chain.
Now it's handshake time.
First, they're going to decide on a cipher suite.
A cipher suite is the group of algorithms and ciphers that will be used for the connection.
The SSL/TLS certificate provides a list of cipher suites that the server supports.
Once both parties have a copy of the session key, communication can commence.
We use public key cryptography to securely exchange the session keys we'll be communicating with.
TLS is just one component of a broader, holistic cyber defense strategy.
But an important component, nonetheless.
SSL 2.0 and SSL 3.0 are both over 20 years old.
This is dangerous because it exposes you to SSL stripping and downgrade attacks like POODLE.
TLS 1.0 and TLS 1.1 are on borrowed time, too.
Additionally, there are specific algorithms that should not be used, either.
DES, for instance, can be broken in a matter of hours.
RC4 is more vulnerable than once believed and has already been outlawed by the Payment Card Industry's Data Security Standards.
And finally, given news of recent exploits, it's not advisable to use RSA for key exchange anymore.
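The checks above can be automated. The following is an added example, not code from the original article: it uses Python's standard `ssl` module to build a server context limited to TLS 1.2+ with ECDHE key exchange, and audits cipher lists for DES, RC4 and RSA key exchange. The function names and `LEGACY_SAMPLE` (a constructed list shaped like `get_ciphers()` output) are assumptions made for illustration.

```python
import ssl

# Constructed sample: entries shaped like ssl.SSLContext.get_ciphers() output,
# standing in for what a legacy server might still offer.
LEGACY_SAMPLE = [
    {"name": "RC4-SHA", "kea": "kx-rsa", "symmetric": "rc4"},
    {"name": "DES-CBC-SHA", "kea": "kx-rsa", "symmetric": "des-cbc"},
    {"name": "AES128-SHA", "kea": "kx-rsa", "symmetric": "aes-128-cbc"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "kea": "kx-ecdhe",
     "symmetric": "aes-128-gcm"},
]

def audit_ciphers(ciphers):
    """Flag suites that use DES, RC4 or RSA key exchange."""
    findings = []
    for c in ciphers:
        sym = c.get("symmetric", "")
        if sym.startswith("rc4"):
            findings.append((c["name"], "RC4"))
        elif sym.startswith("des-cbc"):
            findings.append((c["name"], "DES"))
        if c.get("kea") == "kx-rsa":
            findings.append((c["name"], "RSA key exchange"))
    return findings

def audit_context(ctx):
    """Audit an SSLContext: protocol floor plus every enabled cipher suite."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(("minimum_version", "allows SSL 3.0 / TLS 1.0 / TLS 1.1"))
    return findings + audit_ciphers(ctx.get_ciphers())

def hardened_context():
    """Server-side context limited to TLS 1.2+ with ECDHE key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Allowlist (OpenSSL cipher string): ephemeral ECDH with AEAD ciphers only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

if __name__ == "__main__":
    for name, reason in audit_ciphers(LEGACY_SAMPLE):
        print(f"legacy sample: {name}: {reason}")
    print("hardened context findings:", audit_context(hardened_context()))
```

A real deployment would also load the certificate and key with `load_cert_chain()` before serving; the context here is built only so its settings can be inspected.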
This is a bad practice.
You should be configuring your entire website for HTTPS.
This is called Always-on SSL.
So make it so.
One of the most significant risks posed by digital certificates, in general, is mis-issuance.
That's important because it shuts the window on several known exploits, like downgrade attacks and cookie hijacking.
The HSTS preload list of record is run by Google, and some variation thereof is used by all major browsers.
You can refer to the following implementation guides.
How to Implement SSL in Apache Tomcat?
How to Implement a ZeroSSL Certificate in Apache and Nginx?
How to Implement SSL in WordPress on Shared Hosting, Cloud?
SSL/TLS FAQ
What is an X.509 certificate?
X.509 refers to the type of digital certificate that is used with SSL/TLS and other types of PKI.
X.509 is a public key encryption standard.
Occasionally you'll see companies use "X.509 certificate" in place of "digital certificate" or "PKI certificate".
Why do SSL/TLS certificates expire?
There are two reasons for this.
The first is that the internet is continually changing: websites come and websites go.
The other reason is more technical.
It's harder to proliferate updates and technical changes when certificates don't expire for 3-5 years.
In 2017, maximum validity was reduced from three years to two.
It will likely be shortened to 12 months shortly.
How do you renew an SSL/TLS certificate?
If you let it expire, you start from scratch.
What is HTTPS Inspection?
A lot of larger companies with bigger networks like to have visibility over their traffic.
In that regard, HTTPS is a double-edged sword.
It protects people's privacy, but it can also help cybercriminals hide, too.
When you don't re-encrypt the traffic, it's called SSL Termination.
When you do re-encrypt, that's called SSL bridging.
What is SSL offloading?
SSL offloading is another enterprise practice.
This is sometimes referred to as load balancing.
Why did my CA send me an intermediate certificate?
Remember earlier when we discussed root programs?
Every OS has a root store that it uses to make PKI trust judgments.
Instead, they spin up intermediate roots and issue off those.
The problem is those intermediate roots don't reside in a system's trust store.
What documentation do I need for an Extended Validation SSL certificate?
However, in some locations, this might not be possible.
There are a few things that can assist in expediting the validation though.
If you are interested in learning more, then I would recommend taking this online course.